Double blinding-attack on entanglement-based quantum key distribution protocols 
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We propose a double blinding-attack on entangled-based quantum key distribution protocols. The 
principle of the attack is the same as in existing blinding attack except that instead of blinding the 
detectors on one side only, Eve is blinding the detectors of both Alice and Bob. In the BBM92 
protocol, the attack allows Eve to get a full knowledge of the key and remain undetected even 
if Alice and Bob are using 100% efficient detectors. The attack can be easily extended to Ekert 
protocol, with an efficiency as high as 85.3%. 



Practical implementation of Quantum Key Distribu- 
tion (QKD) protocols |l| can be subjected to attacks 
exploiting the imperfections of the components used by 
the two parties (Alice and Bob) who wish to generate 
a shared key to encrypt their communication on a pub- 
lic channel. Most notable attacks are the time-shift at- 
tacks 0, 0| and the blinding-attacks The latter 
have demonstrated a full hacking of a QKD protocol, the 
eavesdropper (Eve) acquiring the exact knowledge of the 
sift key shared by Alice and Bob in a BBM92 protocol 
0. 

We propose here an improvement on the existing 
blinding-attacks by attacking both sides (Alice and Bob) 
instead of one. The advantage of our proposed attack is 
that it reaches 100% efficiency on both sides in the case 
of BBM92 protocol, and that it can easily be extended 
to cover the case of Ekert protocol [§[ . 



I. SINGLE BLINDING-ATTACK 



The existing blinding attacks [4|-|6[ on BBM92 protocol 
are intercept-and-resend type of attacks. Eve intercepts 
the signal intended for Bob, and performs measurements 
in random bases to obtain the raw key, as Bob would 
have done it. 

In order to hide her presence, for each successful mea- 
surement result that Eve obtains, she forwards to Bob 
a signal that deterministically gives him the exact same 
result whenever their measurement basis are the same, 
and no result at all (non detection) if they are diagonal 
to each others. 

To implement this idea with actual QKD devices, Eve 
blinds Bob's detectors to single-photon detection. She 
does so with various techniques |5j by forcing the detec- 
tors to exit the Geiger mode and enter the linear mode, 
in which the detector clicks only when the intensity of 
the signal reaching the detectors exceeds the preset dis- 
criminator threshold 2th- After each detection, Eve for- 
wards a bright pulse linearly polarized along the direction 
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corresponding to her own measurement result. When 
the bases chosen at random by Eve and Bob are iden- 
tical, the pulse deterministically produces a click in one 
of Bob's detectors. Because it is then either entirely re- 
flected or entirely transmitted at Bob's polarizing beam- 
splitter, Bob's measurement results are then the same as 
Eve's. In order to avoid double counts and incorrect re- 
sults whenever the bases chosen at random by Eve and 
Bob are diagonal to each others, Eve sets the intensity of 
the pulses such that it is lower than twice the threshold 
intensity in the detectors. The pulse is then split in half 
at Bob's polarizing beamsplitter whenever the bases are 
diagonal to each other, so that the output in either of 
Bob's detector is insufficient to overcome the threshold 
to produce a click. 

The point of the attack is that at the end of the raw 
key distribution, Eve owns an exact copy of Bob's key. 
So, if Alice and Bob are satisfied enough with the quan- 
tum bit error rate (QBER) measured on a subset of this 
key, Eve can listen to the error correction protocol that 
they implement and perform the exact same operations 
as Bob, and can obtain in the end an exact copy of the 
sifted key @. 

A weakness of single blinding-attacks is that Bob's key 
is on average half the size that he would have normally 
obtained in the absence of an attack, because in about 
half of the cases the bases chosen at random by Eve and 
Bob turn out to be diagonal to each others, and Bob's 
detectors do not click: the efficiency of this attack is by 
design fundamentally limited to 50% on Bob's side. 

Another weakness is that extending this type of attack 
to cover the case of Ekert protocol is not straightforward. 
To the best of our knowledge, actual attacks against Ek- 
ert protocol have yet to be implemented with real devices, 
and proposals to do so are not entirely satisfactory. For 
instance, in a proposal using blinding attack Q, rates of 
coincidences that would be expected equal from a genuine 
source of entangled state differ significantly, and that is 
something that Alice and Bob would not fail to notice. 

The double blinding-attack that we propose here ad- 
dresses these two weaknesses. The idea is simply to 
launch a blinding attack on both sides and to drive de- 
tection patterns inspired by existing local realist models. 
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II. DOUBLE BLINDING-ATTACK 



A. Attack on BBM92 protocol 



Regardless of the protocol used by Alice and Bob 
(BBM92 or Ekert), the implementation of a double 
blinding-attack on each side is similar to that of a single 
blinding attack, except that Eve is blinding all detec- 
tors instead of only those on Bob's side. Any practical 
implementation of a QKD protocol that is vulnerable to 
blinding-attacks would thus be immediately vulner- 
able as well to our proposed attack. 

A crucial difference however in the spirit of the attack 
is that it is not an intercept-and-resend attack: Eve is not 
measuring anything from the genuinely entangled source 
that was initially intended for Alice and Bob, let alone us- 
ing any information that she could possibly extract from 
this source. Eve is blocking instead this entangled source 
altogether and replacing it entirely by tailored pairs of 
bright pulses. 

To be more specific, Eve is sending pairs of bright 
pulses, with intensity Ia and polarization Aa for Alice, 
and intensity I B and polarization Ab for Bob, with the 
condition 

7T 

Aa = Ab — — = A, 

which guarantees that the measurement results will be 
correlated. 

Eve is randomizing the polarization A from one pulse 
to the other, using a uniform distribution on the circle in 
order to obtain an attack that is rotationally invariant, 
both at the single count level and at the coincidence count 
level. 

Consider Alice's side. By Malus law, the intensity of a 
pulse linearly polarized along A reaching the detectors 
and 1 at the output of the polarizing beam-splitter (PBS) 
oriented along a is: 



^A,o = I A cos 2 (A-0 A ) = I a 
I A ,i = / A sin 2 (A-0 A ) = /a 



1 + cos2(A-0 a ) 
2 

l-cos2(A-0 A ) 



(1) 



Once it is forced to exit the Geiger mode, a detec- 
tor clicks in the linear mode only if the signal intensity 
reaching this detector is greater than the threshold 7th 
that was set for the Geiger mode Q. For simplicity we 
assume that the threshold is the same in all detectors. A 
click is triggered in detector i if the intensity Ia,i is such 
that 



^A,i > I\ 



(2) 



and similarly on Bob's side the condition to obtain a click 
in detector i is 



th- 



(3) 



As we will see, for a given threshold J t h, the only pa- 
rameter that Eve needs to adjust is the brightness of the 
pulses, depending on which protocol Alice and Bob are 
implementing. 



In the BBM92 protocol Q, the security of the key is 
supposed to be guaranteed by a low enough QBER. The 
idea is that any measurement performed by Eve meant to 
extract some information from a source of genuinely en- 
tangled photons would necessarily introduce errors in the 
perfect (anti)correlation predicted for the singlet state. 

In the double blinding-attack, Eve is bypassing this 
difficulty by creating a source from scratch in which she 
has a full knowledge of the polarization and intensity of 
the pulses. 

The idea of the attack is to adjust the bright pulses 
such that the detection pattern behaves exactly like John 
Bell's local hidden-variable model 

9] 

, which was meant to 
reproduce the perfect correlation predicted for identical 
measurement directions on a singlet state [Toj | . 

Eve does so by adjusting the intensity of her bright 
pulses such that they have twice the threshold intensity 
/th to obtain a click in a detector: 



I A = I B = 2 I, 



th- 



Then, on Alice's side, the condition © to obtain a 
click with the outputs (fT]) becomes: 



cos2(A- 9 A ) > 
cos2(A-0 A ) > 



for a click in channel 0, 
for a click in channel 1. 



(4) 



Counting a click in channel as a +1 and a click in 
channel 1 as a —1, the measurement result A for Alice 
takes the form 



A(0 A , A) = sign cos2(A-0 A ). 



(5) 



Similarly, for the same pulse, the ir/2 shift in polariza- 
tion on Bob's side leads to a measurement result of the 
form 



B(0 B , A) = -sign cos2(A - B ) 



(6) 



For a uniform distribution of A over the circle, it leads to 
a correlation of the form 



£(0 B ,0 A ) = + - |0B 
7T 



(7) 



where |0 B - A | € [-f,+f]- 

The detection pattern of this attack is nothing but that 
of the local hidden- variable model given by John Bell in 
his 1964 article [9j, except that the angles given here are 
half of those given by Bell because he was considering the 
singlet state for spin 1/2 particles when we are consider- 
ing photons. A representation in Poincare sphere would 
have given us exactly the same angle dependence. 

The important property of this attack for the BBM92 
protocol is that whenever Alice and Bob are performing 
the same measurements = 0a — 9b, the correlation is 



E(9,t 



(8) 
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which means that their results are perfectly anticorre- 
latcd, exactly as predicted for the singlet state for identi- 
cal measurements. This perfect correlation for identical 
measurement is all that is needed to achieve a low QBER 
in a BBM92 protocol. 

It is worth noticing here that the conditions to obtain 
a click in a detector are mutually exclusive, so that there 
are no double-counts. Even more crucial is that there 
is always at least one detector that clicks, except in the 
case of A = #a, which can be ignored since it is a null set, 
so that the detection efficiency on each side is in effect 
equal to 100%. 

Blinding attacks against the BBM92 protocol are 
therefore unrelated to the detection loophole, contrary to 
what was usually thought. The effectiveness of the dou- 
ble blinding-attack rather highlights the intrinsic weak- 
ness of the BBM92 protocol which is only probing the 
perfect correlation in identical bases, something that 
is always accessible to local realist models (with Bertl- 
mann's socks type models). 



B. Attack on Ekert protocol 

In Ekert protocol, the security of the key is guaranteed 
by measuring a high enough violation of Bell inequalities 
[H, [HI . Extending the attack against BBM92 protocol to 
cover the case of Ekert protocol is straightforward. All 
Eve needs to do is lower the intensity of the pulses sent on 
one side (say, on Alice's side), such that J th < I a < 2/ th . 
On the other side (Bob's side), the pulses are the same as 
in the attack on the BBM92 protocol, that is Ib = 2Jth, 
so that the detection pattern remains as in Eq. (|6]). 

The simple consequence of these less bright pulses on 
Alice's side is that they do not always generate a click 
in one of Alice's detectors. This is enough to let her 
enter the realm of the detection loophole, and leads to 
an apparent violation of Bell inequalities on the sample 
of detected pulses (see [14[ and reference therein for an 
account on the importance of the discriminator threshold 
in the context of Bell inequalities violations) . The lower 
the intensity I a with respect to the fixed threshold Ith, 
the more pulses fail to trigger a pulse and the higher the 
violation of Bell inequalities measured on the sample of 
detected pulses [14 1. 

Setting the intensity of the pulses on Alice's side such 
that 



I A cos 2 a = I th , 

the condition (|2|) to obtain a click on Alice's side becomes: 

cos2(A — 6a) > cos 2a for a click in channel 0, 
cos2(A — 9a) > cos 2a for a click in channel 1. 

(9) 

so that whenever the condition 



is fulfilled, neither detector clicks. 

Counting a click in channel as a +1, a click in channel 
1 as a —1, and a non-detection as 0, the measurement 
result A for Alice becomes: 



when a < \X — 0a\ < a, 

1 1 2 (11) 



A(0 A ,A) = O 
A(6*a, A) = —sign cos 2(A — 9a) otherwise, 



for (A — 9a) G [— 7r/2, 7r/2], and the correlation measured 
by Alice and Bob on the sample of detected pulses then 



0a| < ^ - a, 



takes the form 






' E(0 B ,9 A ) 


= -1 for < \0 B - 


< 


E(e B ,e A ) 


= +1 for- + a< 
4 




^ E(9 b ,9a) 


a 4 y 


for 1 


9b - 9 A ) G 


[-7r/2 )7 r/2]. 



-0 A \ < 



2' 



otherwise, 



(12) 



With a = - JL 7 =, the above correlation leads to a cor- 



4\/2 



relation with magnitude ^- for the angle differences 
\9b — 9 a \ = f used in Ekert protocol, and that means 
a violation of the Bell-CHSH inequalities measured on the 
sample of detected pulses of Schsh = 2\/2, which is the 
maximum predicted by Quantum Mechanics for a singlet 
state [lj]. 

It is worth noticing that this attack designed for Ekert 
protocol works without change if Alice and Bob perform 
a BBM92 protocol instead, because the correlation given 
by Eqs. (I12p when they perform identical measurement 
is equal to —1. 

Note also that, thanks to the rotational invariance of 
the source, the marginal probabilities are equal and in- 
dependent of the settings, and the correlation function 
depends only on the angle difference between the mea- 
surement performed by Alice and Bob, and not on their 
absolute values. The only way to spot this attack by look- 
ing at the statistics of the detected events would therefore 
consists in monitoring the detection efficiencies. 

On the side receiving the weaker pulses (here Alice's 
side) it is straightforward, using Eqs. ([TTj) . to evaluate 
the probability of detection p w for a uniform distribution 
of the polarization A: 



Pw = 1 

7T 



4a 

dA = — , 

7T 



(13) 



cos 2a < cos2(A — 9a) < cos 2a 



(10) 



that is, p w = ^= with a = -^=. 

On the side receiving the stronger pulses (here on Bob's 
side) the probability of detection is equal to 1, so that this 
imbalance could reveal Eve's attack if left as such. She 
can however hide this behavior by sending alternatively 
(or randomly) the weaker pulse on either Alice's side or 
Bob's side. Then the detection efficiency rj, which is the 
probability for a pulse to be detected on either output 
channel, becomes the average of the probability to detect 
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a strong or a weak pulse, that is, 

r; = i(l+Pw) = i(V2 + 2)« 0.853. (14) 

This efficiency is greater than the efficiency bound of 
82.8% above which no local realist model reaching the 
maximum violation of Bell-CHSH inequalities predicted 
by Quantum Mechanics exists [T3, [H| • 

In order to explain this seemingly surprising behavior, 
a first point to notice is that the non-detections are not 
independent in this attack: there is always at most one 
pulse that remains undetected, the strong one being al- 
ways detected. So, the proof of the bound given by Garg 
and Mermin [l6| simply does not apply here. 

A second important point is how the efficiency is ac- 
tually defined and estimated. It is known that assuming 
the independence of non-detections is not a necessary 
condition to derive the bound [l2j], but it is then estab- 
lished for a conditional efficiency 772,1: the probability for 
a photon to be detected on one side given that its corre- 
sponding photon (from the same pair) was detected on 
the other side. Its relevant Bell-CHSH inequality then 
has the same form as derived by Garg and Mermin (l6j : 

Schsh < 2, (15) 

??2,1 

with 7724 > 2/3 [12] . The maximum value 2^/2 predicted 
by Quantum Mechanics for 5chsh [HI exceeds the right- 
hand side of this inequality if 772.1 > 2(\/2 — 1) « 0.828. 
It means a bound on this conditional efficiency of 82.8% 
to invalidate local realism. 

Now, assigning the same bound not just to the condi- 
tional efficiency 772.1 but rather to the actual detection 
efficiency 77 (which is what we have calculated above for 
the double-blinding attack) is not immediate. 

One can assume independent non-detection events, as 
was done by Garg and Mermin [l6[, so that 77 = 772,1 and 
the bound derived for the conditional efficiency 772,1 is 
then valid just the same for the detection efficiency 77. 



In a case however in which the assumption of indepen- 
dence is not fulfilled, as with the double-blinding attack, 
the bound on the conditional efficiency 772,1 cannot be ex- 
tended directly to the detection efficiency n. One needs to 
use another inequality given by Larsson [12j between the 
conditional efficiency and the detection efficiency, that is 
772,1 > 2 — -, which leads to a less stringent Bell-CHSH 
inequality, this time as a function of the detection effi- 
ciency 77: 

2 

Schsh < r, (16) 

27/ — 1 

with 77 > 3/4 [ijj]. The maximum value 2-\/2 predicted by 
Quantum Mechanics for S'chsh exceeds the right-hand 
side of this inequality if 77 > + 2) w 0.853. It 

means a bound on the efficiency 77 of 85.3% to invalidate 
local realism (and therefore a possible attack on Ekert 
protocol). 

Alice and Bob should therefore be wary of how exactly 
they measure the efficiency in their Quantum key distri- 
bution protocol. 

If the number of emitted pair of pulses is unavailable to 
them, they can only estimate the conditional efficiency, 
by dividing the number of single counts by the number 
of emitted pair of pulses, and the bound is indeed 82.8%. 
In fact, in the double blinding-attack, their estimation of 
the conditional efficiency would be equal to the familiar 
bound, that is 772,1 = ^ = 2(-\/2- 1) » 0.828, because 
the probability to detect a pair is simply equal to the 
probability p w to detect a weak pulse. 

If however they know the number N of emitted pair of 
pulses and can evaluate the detection efficiency directly, 
by dividing the number of single counts by the number of 
emitted pair of pulses, then the efficiency bound is 85.3%. 

Finally, it should be noted that if detectors with a lower 
efficiency are used, a simple way to deter the attack is to 
implement a fair sampling test flU fl9| . 
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